Have you checked certificates?

https://www.freeipa.org/page/Certmonger#Get_a_list_of_currently_tracked_certificates

Have you checked Kerberos logs, Dirsrv logs, Tomcat logs?

https://www.freeipa.org/page/Troubleshooting/Administration_and_Web_UI
 
On 6 Dec 2019, at 17:29, Christian Reiss via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hey Angus,

thanks for replying. Allow me to reply inline:

On 06/12/2019 16:00, Angus Clarke wrote:
> Have you checked your times are in sync within 5 minutes?

Yes. And it's monitored.

> Have you checked DNS is working for all node entries between all nodes?

Yes. And it's monitored. Even PTR <-> A check.

> Have you used ipactl [status|restart|stop]?

Yes.

[root@auth1:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@auth2:~] # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

auth3 is down.

> -> Do you see certain services fail and have you checked their logs?

Well that's the wild thing. ipa cli (host remove, host add etc) all work from auth1 (which the webui does not allow access). And all changes are propagated to auth2. Same for the other way around.

It's just the login to auth1.

> I'm hoping your remaining IPA server is the renewal master:
> On remaining good server:
> kinit admin
> ipa config-show | grep "IPA CA renewal master"

auth1 and auth2 agree on auth1 being the IPA CA renewal master.

> If it is then the following rebuild instructions should be ok.
> If it is not, then you prolly need some other advice (I haven't faced that situation yet ...)
> [...]

The following items seem to mix my two problems.

a) auth1 web login broken,
b) auth3 needs re-setup.

Any clue on how to debug the web login (or lack thereof) issue?
Checked httpd logs, nothing to see there in the error logs....

Cheers,
Chris.

--
Christian Reiss - email@christian-reiss.de         /"\  ASCII Ribbon
                  support@alpha-labs.net           \ /    Campaign
                                                    X   against HTML
WEB alpha-labs.net                                 / \   in eMails

GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C  A4ED 44E2 9126 ABCD 43C5

"It's better to reign in hell than to serve in heaven.",
                                         John Milton, Paradise lost.